• First services declared by multiple cloud infrastructure providers
  • Clear steps to GDPR compliance verified by independent Monitoring Bodies
  • Goes beyond GDPR requirements, by offering customers choice to store and process data in the European Economic Area
  • Code to form basis of GAIA-X Verifiable Credentials

3rd February 2022. Brussels. Today, CISPE, the voice of Cloud Infrastructure Service Providers in Europe, announced that companies including Aruba, AWS (Amazon Web Services), Elogic, Leaseweb, Outscale and OVHCloud are the first of its members to declare services to be compliant with its Code of Conduct for Data Protection. The CISPE Code of Conduct for Data Protection in Cloud Infrastructure (CISPE Code), validated by the European Data Protection Board (EDPB) and approved by the French Data Protection Authority (CNIL), is the first General Data Protection Regulation (GDPR) code of conduct specifically designed for cloud infrastructure service providers.

All the services declared must be verified by one of the three independent monitoring bodies accredited by the CNIL: Bureau Veritas, LNE and EY CertifyPoint. The controlled adherence by independent monitoring bodies provides cloud infrastructure customers with an added level of assurance when developing GDPR compliant services in the cloud.

Clear steps to compliance, verified by independent Monitoring Bodies

As a compliance tool validated by data protection authorities, the CISPE Code provides additional assurance that cloud services can be used in compliance with the GDPR. For the first time industry players can declare compliant services under the supervision of independent monitoring bodies accredited by CNIL as the supervisory authority.

Jatin Sehgal, Managing Director, EY CertifyPoint said; “We work with various international standards as a certification and a monitoring body. The CISPE Code, with its industry focus, options for sovereign data processing, and independent governance and accreditation mechanism stands out as a leading practice in the industry.”

“Our members are focused on helping organisations of all types to build and deliver cloud-based applications and services with confidence in their data protection credentials,” said Alban Schmutz, chairman of CISPE. “Our work in defining the CISPE code provides an enhanced level of GDPR assurance to any customers, from SMEs to major corporations, using CISPE Code Compliant services.”

Pioneering Data Protection and Processing Customer Data Exclusively in Europe

As discussions around sovereignty and Europe’s capacity for strategic autonomy in key digital markets gain momentum, the CISPE Code is the first tool approved by the EDPB to go beyond the requirements of GDPR by certifying services to ensure no reuse of customer data, and to give customers the choice to use services to store and process customer data exclusively in the European Economic Area (EEA).

Automated Compliance and partnership with GAIA-X

A key objective of the GAIA-X project is to provide automated compliance to digitally build transparency and trust. Together with GAIA-X CTO Office, CISPE has used its Code of Conduct for Data Protection to issue verifiable credentials following the W3C standard.

These allow GAIA-X to automatically verify claims of compliance to provisions regarding data protection and data location.

Pierre Gronlier, CTO of GAIA-X AISBL, added, “To accelerate our European digital transformation and self-determine our level of autonomy, building transparency and trust in digital services based on objective elements, through the definition of a process and specific compliance rules is key.

“The work we’ve done with CISPE to use its Code of Conduct that can be verified by technology creates a powerful and tangible illustration of exactly how this can be done.”

This mechanism will be made available to other codes of conducts or compliance mechanisms and help GAIA-X to verify claims on cloud services against security, portability or sustainability. In particular, CISPE will offer its members the same mechanisms of other self-regulatory tools it has helped to develop including the Climate Neutral Data Centre Pact and the 10 Principles of Fair Software.

For further information, please contact Simona Romeo at sr@cispe.cloud